Sorry

Security professionals are playing defense against cybercrime, and often feel outgunned by tech-savvy hackers and insiders out to steal sensitive data from within the business. They see a shortage of qualified security personnel to call on, but also believe that threat-detection tools are getting better.

Those were sentiments shared today by security experts from two large financial services companies, Citi and AIG, together with a special agent of the FBI at a panel discussion at Pace University in New York. When asked about the kind of things that worry them most, they were quick to point to the kind of attacks that are hard to stop and the difficulty in chasing cybercriminals around the globe.

“Zero-day vulnerabilities bringing down the network,” said Bernadette Gleason, North American eCrime laboratory manager at Citi. Use of zero-day attacks by cybercriminals give them the advantage because they can exploit unknown vulnerabilities. “We’ve seen this happen and try to mitigate against it.”

Like many businesses, Citi applies a defense-in-depth strategy but there’s also the realization that the financial services industry has to do better at “consumer awareness” by helping educate the public more about cybercrime, without confusing people with technical terms, she added.

“I worry about the hacktivists and nation states,” said Robert Zandoli, senior vice president in the global chief information security office of AIG.

Zandoli said one of the main challenges today is that a large company gets billions of alerts from security tools, but then struggles to determine the top priorities. But Zandoli expressed optimism that the security industry is making advances. He also said the idea of “dynamic defense” where security tools can monitor and see anomalies and react automatically is evolving.

FBI special agent Charles Gilgen acknowledged that for law enforcement, being reactive, the challenge pertains to the global nature of cybercrime across national boundaries, where an innocent-looking e-mail loaded with malware can begin the attacker’s incursion into business networks. But the FBI is beefing up its cyber division, he added, with plans to add 1,000 analysts next year.

Gilgen cautioned to be on the watch for the insider stealing data, noting that some tell-tale signs can be a person, especially someone with personal or financial problems, who suddenly takes to sitting at someone else’s computer or starts asking unexpected questions. This might be harmless, but can be indicators of insider threat troubles, he said.

Gilgen also warned against taking computers with valuable proprietary data overseas where in some countries there are ongoing aggressive actions to steal it. He also added that the FBI is concerned that attackers are increasingly going after smaller U.S.-based companies that sometimes aren’t as well prepared as large businesses.

When asked about cloud computing and security, Citi’s Gleason offered her own advice, saying businesses should reasonably expect to be able to conduct some type of ethical hacking on the cloud service providers they want to use in order to test their security. Not only should that be in any contract, but also a provision that your business should be notified in the event the cloud service provider is hacked. She said companies should expect both their business partners and vendors, including security vendors, to make their security policies and practices plain since they are all close to valuable business data.

Zandoli said it’s certainly a concern that there is a shortage of security professionals to hire. But every company has to try and be a “hardened target” as best it can since the whole situation is akin to “a cyberwar and surprise is a great advantage for adversaries.”

This situation of constant threats and attacks means “unfortunately, the bad guys are often one step ahead of us,” acknowledged Gleason, which she added, makes cybersecurity a job interesting though occasionally depressing.